The way LaBrea works is to discover unused IP addresses on your network and set up "virtual computers" with made-up MAC addresses on those IPs. When a worm comes scanning, it is likely to hit some of these virtual addresses -- in which case LaBrea forges packets to respond as if the virtual computer were a real host. A real, very slow host, that is: LaBrea does the bare minimum necessary under the rules of TCP to keep the session open; it never acknowledges a single packet. The result is that the worm's network socket is tied up in a wait state, awaiting permission to send data ... which never comes. This delay prevents the worm thread from going on to attack other addresses, and ties up resources on the attacking system.

A LaBrea virtual session takes up almost no network resources on the supporting host: it doesn't use a "real" kernel-supported TCP session, sends the absolute minimum number of packets and octets necessary to keep the other end from timing out, and hence puts next to no load on the local network and the Internet. It doesn't even use a significant quantity of CPU time or memory. The imbalance between LaBrea's light local footprint and the large impact it makes on the remote worm host is what makes it a good strategy.

(In general, any attempt to tie up or deplete another host's resources must work around the basic symmetry of TCP/IP: it must create some such imbalance in order to avoid depleting its own host's resources equally. Usually, this is done with packet forgery. Perhaps the first example of this was the SYN attack, in which a remote server system is tricked into allocating TCP ports and session blocks for infinite numbers of forged, nonexistent client sessions. LaBrea could be thought of as a reverse SYN attack: a remote client system, the worm host, is tricked into wasting time trying to talk to a server that isn't even listening.)
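As an added illustration (my own model, not LaBrea's code), here is a small Python sketch of the behaviour the paragraphs above describe: a responder for one unused IP that answers a SYN with a zero-window SYN/ACK, answers every later probe with a bare ACK that never covers the peer's data, and counts the octets it spends; plus a model of a multi-threaded scanner whose threads are stalled by the virtual hosts. The 40-byte header cost, the zero-window mechanism and the scanner model are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    dst: str
    flags: str        # 'S' = SYN, 'A' = ACK, 'SA' = SYN/ACK
    seq: int
    ack: int = 0
    window: int = 0   # receive window we advertise to the peer
    payload: int = 0  # data bytes carried by the segment

class Tarpit:
    """Responder for one unused IP, modelled on the article's description (assumed behaviour, not LaBrea's code)."""
    HDR = 40  # assumed IPv4 + TCP header with no options: all a reply costs, since it carries no data

    def __init__(self, ip, isn=1000):
        self.ip, self.isn = ip, isn
        self.peers = {}  # peer IP -> peer ISN; a dict entry, not a kernel TCP socket
        self.packets = self.octets = 0

    def _send(self, seg):
        self.packets, self.octets = self.packets + 1, self.octets + self.HDR
        return seg

    def respond(self, seg):
        if seg.dst != self.ip:
            return None
        if 'S' in seg.flags and seg.src not in self.peers:  # a scan has hit the virtual host
            self.peers[seg.src] = seg.seq
            # SYN/ACK with a zero window: the handshake completes, but the peer never gets leave to send
            return self._send(Segment(self.ip, seg.src, 'SA', self.isn, seg.seq + 1, window=0))
        if seg.src in self.peers:
            # Window probe or data: a bare ACK still covering only the SYN, window still zero, so the
            # peer's payload is never acknowledged and its socket stays parked waiting for a window.
            return self._send(Segment(self.ip, seg.src, 'A', self.isn + 1, self.peers[seg.src] + 1, window=0))
        return None  # no session with this peer: stay silent, like a genuinely unused address

def worm_progress(addresses, tarpit_ips, threads, horizon, per_host=1.0):
    """Return (hosts reached, threads stuck) for a scanner with `threads` workers over `horizon` seconds,
    where a worker that hits a tarpit never comes back and every other address costs `per_host` seconds."""
    clocks, reached, stuck = [0.0] * threads, 0, 0
    for ip in addresses:
        live = [i for i, t in enumerate(clocks) if t is not None and t + per_host <= horizon]
        if not live:
            break
        i = min(live, key=clocks.__getitem__)  # the worker that frees up first takes the next address
        if ip in tarpit_ips:
            clocks[i], stuck = None, stuck + 1
        else:
            clocks[i], reached = clocks[i] + per_host, reached + 1
    return reached, stuck
```

Running `worm_progress` over the same address list with and without a tarpit set shows the imbalance the text describes: the tarpit spends a few 40-byte headers per stalled worker while the scanner loses that worker for the whole horizon.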

In order for LaBrea to be truly effective in fighting worms, there need to be a large number of networks using it. Currently, it is available for Linux and NetBSD, and for the Trinux mini-distribution. You can download it from http://www.hackbusters.net/LaBrea or any of the mirror nodes linked from that site.

Update, 10/2/2001: If you have any Macintosh computers on your subnet, go get LaBrea v2.2. The method Mac OS uses to check for IP address collisions conflicts with earlier versions.